RDoc documentation generated by the rdoc bundled with ruby is
vulnerable to an XSS exploit. All ruby users are recommended to
update ruby to a newer version which includes a security-fixed RDoc.
If you are publishing RDoc documentation generated by rdoc, you are
recommended to apply a patch to the documentation or re-generate it
with a security-fixed RDoc.

Unrestricted entity expansion can lead to a DoS vulnerability in
REXML. (The CVE identifier will be assigned later.) We strongly
recommend upgrading ruby.

When reading text nodes from an XML document, the REXML parser can
be coerced into allocating extremely large string objects which
can consume all of the memory on a machine, causing a denial of
service.

Ruby -- Denial of Service and Unsafe Object Creation Vulnerability in JSON

Aaron Patterson reports:

When parsing certain JSON documents, the JSON gem can be coerced
into creating Ruby symbols in a target system. Since Ruby symbols
are not garbage collected, this can result in a denial of service
attack.

The same technique can be used to create objects in a target system
that act like internal objects. These "act alike" objects can be
used to bypass certain security mechanisms and can be used as a
springboard for SQL injection attacks in Ruby on Rails.
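The object-creation mechanism the report describes is the json gem's "json_class" hook: when additions are enabled, the document itself names the class that gets instantiated. The following added example (not part of the advisory or of Aaron Patterson's report; the AuditRecord class and the sample document are constructed for illustration) contrasts a parse that honours that hook with the hardened call a defender should use on untrusted input.

```ruby
require 'json'

# Hypothetical application class with a JSON deserialisation hook.
# With create_additions enabled, the json gem looks up the class named
# in the "json_class" key and calls its json_create method, so the
# *input* decides which class is instantiated.
class AuditRecord
  attr_reader :user

  def initialize(user)
    @user = user
  end

  # Hook invoked by the json gem when additions are enabled.
  def self.json_create(h)
    new(h["user"])
  end
end

# Constructed sample document that names the class it wants created.
UNTRUSTED_JSON = '{"json_class":"AuditRecord","user":"alice"}'

# Weak: honouring json_class lets the document choose the object type.
def parse_with_additions(str)
  JSON.parse(str, create_additions: true)
end

# Hardened: untrusted input is only ever turned into plain
# Hash/Array/String/Numeric values; "json_class" stays an ordinary key.
# max_nesting additionally bounds deeply nested documents.
def parse_untrusted(str)
  JSON.parse(str, create_additions: false, max_nesting: 100)
end

if __FILE__ == $0
  puts parse_with_additions(UNTRUSTED_JSON).class  # AuditRecord
  puts parse_untrusted(UNTRUSTED_JSON).class       # Hash
end
```

The same reasoning applies to JSON.load, which enables additions by default and should not be pointed at attacker-controlled data.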